Blackbaud is a cloud services provider that is diversified into a number of different industries, but one of its central markets is higher education. The company is a contractor for some very prominent universities: Oxford, Exeter, Leeds and the University of London among others. That makes it an attractive and potentially devastating target for a supply chain attack, and that very thing appears to have happened in May. It took two months for the public to learn of the Blackbaud ransomware attack, however, as the company opted to pay the ransom and take its time in issuing a statement about it.
Blackbaud was lucky in that the attackers appear to have honored their terms and withdrawn after receiving payment, but a forensic investigation has revealed that they also appear to have absconded with some personal data. Blackbaud did not notify its clients of this data theft for weeks after the attack, creating yet another case study in the importance of monitoring contractors and having accountability measures in place in the event of supply chain attacks.
Blackbaud Ransomware threatens universities and charities in US, UK, Canada
Blackbaud reports that it detected an attempted ransomware attack in May of 2020; it frames the response as a “successful prevention,” but a number of other media sources are reporting that the company simply paid whatever ransom the attackers were asking.
The Blackbaud statement also acknowledges that a “subset of data” was exfiltrated from the network before the attacker’s access was removed. The company claims that this data set did not contain financial information or social security numbers, but does not specify exactly what was exfiltrated. Again, one must go to independent media sources which are reporting that Blackbaud lost personal contact information of staff and students (to include phone numbers) as well as information about events attended and histories of donations made to various universities and charities. Blackbaud says that impacted individuals have been contacted and “supplied with additional information and resources.”
Most of the universities impacted by the supply chain attack were in the United Kingdom, but there were several in the United States and two in Canada. The Blackbaud ransomware attack also impacted several charities and nonprofits based in the United States: Vermont Foodbank, Vermont Public Radio, Human Rights Watch, Northwest Immigrant Rights Project and Young Minds. The Smithsonian and the National Trust reportedly had their donor lists raided along with over a hundred other museums and galleries throughout the country.
The delay in reporting could be more than just a PR problem for Blackbaud; the impacted parties in the UK still fall under the protection of the General Data Protection Regulation (GDPR), which mandates that breaches of this nature be reported to the appropriate regulatory authority within 72 hours. Blackbaud also claims that the attackers “confirmed” that they destroyed all exfiltrated data once the ransom was paid, but there is really no way to verify such a claim. Many of Blackbaud’s clients were required to issue their own data breach disclosures to their own customers upon learning of the incident, creating the potential for civil liability issues due to slow reporting.
The company is one of the largest cloud service providers in the nonprofit space, with over 45,000 customers in 100 countries making use of its hosted environments. Though the Blackbaud ransomware incident impacted a relatively small amount of the customer base, the institutions hit by the supply chain attack were often either quite prominent or unusually vulnerable.
An uptick in attacks on universities
The Blackbaud ransomware incident demonstrates how the prolonged changes brought on by the Covid-19 pandemic have caused some shifts in priorities for hackers, making certain categories of organization more attractive than before. Schools and universities are one example. Many more classes and administrative details are being conducted online, and schools are largely leaning on cloud services to carry the added load. That creates more potential entry points for attackers, and supply chain attacks are often the easiest way in. Universities have a great deal of information that is of interest to them: personal details such as student and employee contact information and social security numbers, bank account numbers on file for financial aid transfers, valuable confidential research and more.
Universities are seeing an uptick in all sorts of cyber attacks during the Covid-19 pandemic, from targeted phishing to attacks similar to the Blackbaud ransomware attempt. Many small-time criminals are taking advantage of the conditions to run fairly standard attack types for profit, but some universities can also become targets of the most advanced state-sponsored groups seeking classified research. Given the possibility of supply chain attacks, the security is only as good as the weakest vendor that has access to sensitive information.
Adam Laub, General Manager for Stealthbits Technologies, notes that the trend that the Blackbaud ransomware represents has not gone unobserved by the general public and has led to greater concern about the safety of virtual classes: “What most individuals are concerned about is not necessarily how their data is being used – although this is an important topic – but how it is being protected. While no organization is immune to the possibility of data breach, many are still overly exposed due to a wide variety of factors, from a lack of funding, expertise, or time to focus on the wrong controls or false expectations about what they’re actually able to detect, prevent, mitigate, or respond to when faced with a legitimate threat. Focus on the basics would be a significant step in the right direction for most organizations, as external threat actors continue to feast on weak passwords and authentication, lax security policies and access controls, and a treasure trove of privileged accounts with persistent access rights that are ripe for the picking the moment they gain a foothold within almost any enterprise.”
Ultimately, securing against the wave of opportunistic hacking represented by the Blackbaud ransomware incident comes back to the same practices that should be in place to manage the risk of all types of supply chain attacks. Organizations need a vendor management program that has a solid vetting process in place for all new partners, along with carefully-considered contracts that spell out vendor data security requirements (both in terms of active protection and responsibilities in the wake of a successful supply chain attack). While this certainly creates extra work given the increased dependence on cloud services at present, it is vital to prevent an even more costly security incident. Authorities and cybersecurity experts generally do not advise paying ransoms to attackers as they cannot be trusted and it encourages further attacks — the primary means of recovery should be a robust and regular system of backups.